New Java Exploit Puts All Users at Risk

A previously unknown security flaw in the latest version of Java
is already being exploited in the wild and could, according to
cybercrime reporter Brian Krebs, affect as many as 1 billion computers.

The vulnerability, which was discovered in the wild last week, puts
all Java 7 users at risk. (If you haven't updated, don't: the flaw
exists only in the latest version, so those still running Java 6 are
not affected.)
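Because the article's advice hinges on which major release a host is running, here is a small POSIX shell triage script, added as an example and not part of the original article, that classifies the first line of `java -version` output as the affected Java 7 or something else. The function names and the sample version strings in the comments are constructed for this example; nothing here is from the page or from Oracle.

```shell
#!/bin/sh
# Added example: triage a host by the major Java release it runs.
# `java -version` prints its banner on stderr, first line looking like
#   java version "1.7.0_06"      (constructed sample, Java 7: affected)
#   java version "1.6.0_35"      (constructed sample, Java 6: not affected)
# Pre-9 releases use the "1.<major>" form; Java 9+ prints e.g. "9.0.1".

# Print the major release number from one banner line ("7", "6", "9", ...).
java_major_version() {
    # Keep only the text inside the quotes after the word version.
    ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p')
    case "$ver" in
        1.*) printf '%s\n' "$ver" | cut -d. -f2 ;;   # "1.7.0_06" -> 7
        *)   printf '%s\n' "$ver" | cut -d. -f1 ;;   # "9.0.1"    -> 9
    esac
}

# Exit status 0 when the banner line describes Java 7 (the affected release).
is_java7() {
    [ "$(java_major_version "$1")" = "7" ]
}

# Run the check against the java binary on PATH.
# Exit 0 = affected Java 7 found, 1 = some other release, 2 = no java found.
check_installed_java() {
    if ! command -v java >/dev/null 2>&1; then
        echo "no java on PATH"
        return 2
    fi
    line=$(java -version 2>&1 | head -n1)
    if is_java7 "$line"; then
        echo "AFFECTED (Java 7): $line"
        return 0
    fi
    echo "not Java 7: $line"
    return 1
}

# Usage: source this file, then run `check_installed_java` on each host.
```

The script deliberately inspects only the major release, since the article distinguishes affected hosts by that alone; it does not tell you whether the browser plug-in is enabled, which is a separate check.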

Security testing company Rapid7 said the proof-of-concept exploit was
rolled into a Metasploit module that can exploit the flaw in Chrome on
Mac OS X and on Windows XP. Because the flaw is in Java itself rather
than in any one operating system, no platform is safe from it.

Krebs said in his blog that the creator of
the BlackHole exploit kit, a popular malware-installing tool
that is available for purchase in online black markets, was
surprised anyone would just give this exploit away. According
to the BlackHole creator, selling the exploit could have
fetched $100,000.

According to statistics that Seculert shared with Krebs, now that
the BlackHole kit has the Java zero-day exploit onboard, it is
twice as effective. The kit, which infects the machines of visitors
to the sites it is planted on, now compromises about 21 percent of
those visitors, up from about 11 percent.

The exploit is valuable because it is so reliable. According to
Immunity Inc. developer Esteban Guillardoy, who has published a
detailed breakdown of the vulnerability, the exploit "provides 100
percent reliability" and, because it works on all operating systems,
it "will shortly become the penetration-test Swiss knife for the next
couple of years."

While the real solution to the problem is an official patch from
Oracle, the technology giant is known for sticking to its fixed
quarterly schedule for rolling out updates and fixes. Despite all the
flak that is likely headed its way, the next update should not be
expected until October.

So far this exploit has mainly been used in targeted attacks aimed
at stealing government or corporate secrets, but many security
experts nonetheless suggest uninstalling or disabling Java
immediately. Sophos has instructions for doing so on its
NakedSecurity blog.